Brokered exploits are previously undisclosed software flaws — often "zero-days" — together with the code needed to weaponize them, that change hands through commercial brokers rather than being reported to the vendor or released publicly. Brokers act as middlemen: they vet sellers (independent researchers, exploit-development boutiques, or hacking crews), package the exploit with documentation and sometimes ongoing support, and resell it to buyers, typically intelligence agencies, militaries, law-enforcement bodies, and private offensive-security firms.
The market has both above-ground and grey-market layers. Public-facing brokers such as Zerodium and Crowdfense advertise standing bounties — Zerodium has publicly offered up to $2.5 million for full-chain Android zero-click exploits. Other transactions occur privately between contractors and state customers. Pricing reflects scarcity, reliability, target platform, and required user interaction; remote zero-click chains against hardened mobile operating systems command the highest prices.
Brokered exploits underpin much of the commercial spyware industry. Vendors like NSO Group (Pegasus), Intellexa (Predator), and Candiru source or develop exploit chains used to compromise journalists, activists, and officials — abuses documented by Citizen Lab and Amnesty International's Security Lab since the mid-2010s.
Policy responses have intensified:
- The Wassenaar Arrangement added "intrusion software" to its dual-use control list in 2013, prompting export-licensing requirements in participating states.
- The U.S. Commerce Department added NSO Group and Candiru to its Entity List in November 2021.
- President Biden's Executive Order 14093 (March 2023) restricted U.S. government use of commercial spyware that poses counterintelligence or human-rights risks.
- The Pall Mall Process, launched by the UK and France in February 2024, seeks multilateral norms on commercial cyber intrusion tools.
Critics argue brokering incentivizes stockpiling rather than patching, expanding the attack surface available to authoritarian buyers; defenders frame it as a legitimate procurement channel for lawful intercept capabilities.
Example
In 2019, Zerodium publicly raised its bounty for a zero-click Android exploit chain to $2.5 million, signaling that brokered-exploit prices for mobile targets had surpassed those for iOS.
Frequently asked questions
Bug bounties are paid by the affected vendor in exchange for disclosure and a patch. Brokered exploits are sold to third-party buyers who keep the flaw secret so it remains usable for offensive operations.
Keep learning